Millions of hotel users see personal information checked out in massive data breach
- CyberNews researchers have discovered a massive data breach
- The dataset contained the information of more than 24 million customers. It was probably owned by the Honotel hotel chain
A leaked dataset containing more than 24 million hotel records has been discovered by CyberNews researchers, with names, email addresses, telephone numbers and detailed accommodation information such as arrival time, number of guests and price paid.
There are strong indications that the dataset is owned by Honotel Group, a French hospitality investment and management firm.
The data specifically mentions ‘SITE HONOTEL’, researchers confirmed, as well as booking platforms such as Booking.com, suggesting the leaked database may be part of Honotel’s booking management system.
Guests in danger
Researchers discovered the suspected Honotel leak on October 4, 2024, and the leak was patched on October 7, 2024, so at least the organization acted quickly after the disclosure notice was sent.
It’s not clear how long the data was available or whether threat actors discovered or stole anything, but the information was discovered on an unprotected Elasticsearch server and Kibana interface.
This puts both the customer and the company at risk. For the customer, the risk when personally identifiable information (PII) is compromised is fraud and identity theft, as malicious actors can use the data to take out loans, leverage bank accounts, or even conduct social engineering attacks against the victims.
For the company, much as US firms face FTC fines, European companies are subject to GDPR, which could result in fines of up to 4% of a company’s global annual revenue if best security practices are not put in place to protect PII.
This comes not long after major incidents led the FTC to order hotel chains Marriott and Starwood to implement more robust security measures after 344 million customers were exposed in a major data breach. Marriott systems remained exposed for up to four years, earning the company a $52 million fine from the FTC in 2024.